win.liteduke

LiteDuke

Actor(s): APT 29


According to CarbonBlack, LiteDuke is a third-stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload stores its configuration in an AES-encrypted SQLite database. LiteDuke supports a large number of individual commands, including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic.
ESET dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

References
2020-05-18 | One Night in Norfolk | Kevin Perlow | Looking Back at LiteDuke
https://norfolkinfosec.com/looking-back-at-liteduke/
@online{perlow:20200518:looking:eaa7bde, author = {Kevin Perlow}, title = {{Looking Back at LiteDuke}}, date = {2020-05-18}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/looking-back-at-liteduke/}, language = {English}, urldate = {2020-05-18} }
Families covered: LiteDuke

2020-03-26 | VMWare Carbon Black | Scott Knight | The Dukes of Moscow
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} }
Families covered: Cobalt Strike, LiteDuke, MiniDuke, OnionDuke, PolyglotDuke, PowerDuke
Yara Rules
[TLP:WHITE] win_liteduke_auto (20220808 | Detects win.liteduke.)
rule win_liteduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.liteduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 09f8 01c6 0375d8 81c640b340c0 c1c609 01de 89cf }
            // n = 7, score = 200
            //   09f8                 | or                  eax, edi
            //   01c6                 | add                 esi, eax
            //   0375d8               | add                 esi, dword ptr [ebp - 0x28]
            //   81c640b340c0         | add                 esi, 0xc040b340
            //   c1c609               | rol                 esi, 9
            //   01de                 | add                 esi, ebx
            //   89cf                 | mov                 edi, ecx

        $sequence_1 = { a1???????? 50 8b00 ff5050 8d8d00ffffff 51 a1???????? }
            // n = 7, score = 200
            //   a1????????           |                     
            //   50                   | push                eax
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   ff5050               | call                dword ptr [eax + 0x50]
            //   8d8d00ffffff         | lea                 ecx, [ebp - 0x100]
            //   51                   | push                ecx
            //   a1????????           |                     

        $sequence_2 = { 035dc0 81c378a46ad7 c1c307 01cb 89df f7d7 21d7 }
            // n = 7, score = 200
            //   035dc0               | add                 ebx, dword ptr [ebp - 0x40]
            //   81c378a46ad7         | add                 ebx, 0xd76aa478
            //   c1c307               | rol                 ebx, 7
            //   01cb                 | add                 ebx, ecx
            //   89df                 | mov                 edi, ebx
            //   f7d7                 | not                 edi
            //   21d7                 | and                 edi, edx

        $sequence_3 = { 8b750c 8db5f3fdffff ff750c 56 ff15???????? }
            // n = 5, score = 200
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   8db5f3fdffff         | lea                 esi, [ebp - 0x20d]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_4 = { 6800800000 6a00 ff75f4 ff15???????? 58 }
            // n = 5, score = 200
            //   6800800000           | push                0x8000
            //   6a00                 | push                0
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   58                   | pop                 eax

        $sequence_5 = { 51 e8???????? 58 ff90b6f4ffff 59 91 09c9 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   ff90b6f4ffff         | call                dword ptr [eax - 0xb4a]
            //   59                   | pop                 ecx
            //   91                   | xchg                eax, ecx
            //   09c9                 | or                  ecx, ecx

        $sequence_6 = { ff15???????? 09c0 7468 8945ec }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   09c0                 | or                  eax, eax
            //   7468                 | je                  0x6a
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax

        $sequence_7 = { 83c408 5f 5e 59 8b55f4 }
            // n = 5, score = 200
            //   83c408               | add                 esp, 8
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   59                   | pop                 ecx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_8 = { 7445 8b45e8 0145e4 8d45ec c70000000000 50 ff75d0 }
            // n = 7, score = 200
            //   7445                 | je                  0x47
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   0145e4               | add                 dword ptr [ebp - 0x1c], eax
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   c70000000000         | mov                 dword ptr [eax], 0
            //   50                   | push                eax
            //   ff75d0               | push                dword ptr [ebp - 0x30]

        $sequence_9 = { c745e408000000 c745e810000000 c745ec20000000 c745f040000000 c745f480000000 c745f81b000000 }
            // n = 6, score = 200
            //   c745e408000000       | mov                 dword ptr [ebp - 0x1c], 8
            //   c745e810000000       | mov                 dword ptr [ebp - 0x18], 0x10
            //   c745ec20000000       | mov                 dword ptr [ebp - 0x14], 0x20
            //   c745f040000000       | mov                 dword ptr [ebp - 0x10], 0x40
            //   c745f480000000       | mov                 dword ptr [ebp - 0xc], 0x80
            //   c745f81b000000       | mov                 dword ptr [ebp - 8], 0x1b

    condition:
        7 of them and filesize < 1171456
}